Abstract

Garg and Abadi recently proved that prominent access control logics can be translated in a 
sound and complete way into modal logic S4. We have previously outlined how normal multi- 
modal logics, including monomodal logics K and S4, can be embedded in simple type theory 
(which is also known as higher-order logic) and we have demonstrated that the higher-order 
theorem prover LEO-II can automate reasoning in and about them. In this paper we combine 
these results and describe a sound and complete embedding of different access control logics 
in simple type theory. Employing this framework we show that the off-the-shelf theorem 
prover LEO-II can be applied to automate reasoning in prominent access control logics. 

1 Introduction 

The provision of effective and reliable control mechanisms for accessing resources is an important 
issue in many areas. In computer systems, for example, it is important to effectively control the 
access to personalized or security critical files. 

A prominent and successful approach to implement access control relies on logic based ideas 
and tools. Abadi's article [1] provides a brief overview on the frameworks and systems that have 
been developed under this approach. Garg and Abadi recently showed that several prominent 
access control logics can be translated into modal logic S4 [15]. They proved that this translation 
is sound and complete. 

We have previously shown [7] how multimodal logics can be elegantly embedded in simple 
type theory (STT) [12, 5], which is also widely known as higher-order logic (HOL). We 
have also demonstrated that proof problems in and about multimodal logics can be effectively 
automated with the higher-order theorem prover LEO-II. 

In this paper we combine the above results and show that different access control logics can 
be embedded in STT, which has a well understood syntax and semantics [19, 4, 3, 6]. 

The expressiveness of STT furthermore enables the encoding of the entire translation from 
access control logic input syntax to STT in STT itself, thus making it as transparent as possible. 
Our embedding furthermore demonstrates that prominent access control logics as well as prominent 
multimodal logics can be considered and treated as natural fragments of STT. 

Using our embedding, reasoning in and about access control logic can be automated in the 
higher-order theorem prover LEO-II [9]. Since LEO-II generates proof objects, the entire 
translation and reasoning process is in principle accessible for independent proof checking. 

This paper is structured as follows: Section 2 reviews background knowledge and Section 
3 outlines the translation of access control logics into modal logic S4 as proposed by Garg and 
Abadi [15]. Section 4 restricts the general embedding of multimodal logics into STT [7] to an 
embedding of monomodal logics K and S4 into STT and proves its soundness and completeness. 
These results are combined in Section 5 in order to obtain a sound and complete embedding 
of access control logics into STT. Moreover, we present some first empirical evaluation of the 
approach with the higher-order automated theorem prover LEO-II. Section 6 concludes the paper. 

2 Preliminaries 

We assume familiarity with the syntax and semantics of multimodal logics and simple type 
theory and only briefly review the most important notions. 

The multimodal logic language ML is defined by 

$$s, t ::= p \mid \neg s \mid s \vee t \mid \Box_r s$$

where p denotes atomic primitives and r denotes accessibility relations (distinct from p). Other 
logical connectives can be defined from the chosen ones in the usual way. 

A Kripke frame for ML is a pair $(W, (R_r)_{r \in I})$, where W is a non-empty set (called possible 
worlds), and the $R_r$ are binary relations on W (called accessibility relations). A Kripke model 
for ML is a triple $(W, (R_r)_{r \in I}, \models)$, where $(W, (R_r)_{r \in I})$ is a Kripke frame, and $\models$ is a satisfaction 
relation between nodes of W and formulas of ML satisfying: $w \models \neg s$ if and only if $w \not\models s$, $w \models s \vee t$ 
if and only if $w \models s$ or $w \models t$, $w \models \Box_r s$ if and only if for all u with $R_r(w, u)$ holds $u \models s$. The 
satisfaction relation $\models$ is uniquely determined by its value on the atomic primitives p. A formula 
s is valid in a Kripke model $(W, (R_r)_{r \in I}, \models)$ if $w \models s$ for all $w \in W$. s is valid in a Kripke frame 
$(W, (R_r)_{r \in I})$ if it is valid in $(W, (R_r)_{r \in I}, \models)$ for all possible $\models$. If s is valid for all possible Kripke 
frames $(W, (R_r)_{r \in I})$ then s is called valid and we write $\models^{K} s$. s is called S4-valid (we write $\models^{S4} s$) 
if it is valid in all reflexive, transitive Kripke frames $(W, (R_r)_{r \in I})$, that is, Kripke frames with only 
reflexive and transitive relations $R_r$. 

Classical higher-order logic or simple type theory STT [5, 12] is a formalism built on top of 
the simply typed $\lambda$-calculus. The set $\mathcal{T}$ of simple types is usually freely generated from a set of 
basic types $\{o, \iota\}$ (where o denotes the type of Booleans) using the function type constructor $\to$. 

The simple type theory language STT is defined by ($\alpha, \beta, o \in \mathcal{T}$): 

$$s, t ::= p_\alpha \mid X_\alpha \mid (\lambda X_\alpha.\, s_\beta)_{\alpha \to \beta} \mid (s_{\alpha \to \beta}\, t_\alpha)_\beta \mid (\neg_{o \to o}\, s_o)_o \mid (s_o \vee_{o \to o \to o} t_o)_o \mid (\Pi_{(\alpha \to o) \to o}\, s_{\alpha \to o})_o$$

$p_\alpha$ denotes typed constants and $X_\alpha$ typed variables (distinct from $p_\alpha$). Complex typed terms 
are constructed via abstraction and application. Our logical connectives of choice are $\neg_{o \to o}$, 
$\vee_{o \to o \to o}$ and $\Pi_{(\alpha \to o) \to o}$ (for each type $\alpha$). From these connectives, other logical connectives can 
be defined in the usual way. We often use binder notation $\forall X_\alpha.\, s$ for $(\Pi_{(\alpha \to o) \to o}\, (\lambda X_\alpha.\, s))$. We 
denote substitution of a term $A_\alpha$ for a variable $X_\alpha$ in a term $B_\beta$ by $[A/X]B$. Since we consider $\alpha$-
conversion implicitly, we assume the bound variables of B avoid variable capture. Two common 
relations on terms are given by $\beta$-reduction and $\eta$-reduction. A $\beta$-redex $(\lambda X.\, s)\, t$ $\beta$-reduces to 
$[t/X]s$. An $\eta$-redex $(\lambda X.\, s\, X)$ where variable X is not free in s, $\eta$-reduces to s. We write $s \equiv_\beta t$ to 
mean s can be converted to t by a series of $\beta$-reductions and expansions. Similarly, $s \equiv_{\beta\eta} t$ means 
s can be converted to t using both $\beta$ and $\eta$. 

Semantics of STT is well understood and thoroughly documented in the literature [6, 3, 4, 19]; 
our summary below is adapted from Andrews [2]. 

A frame is a collection $\{D_\alpha\}_{\alpha \in \mathcal{T}}$ of nonempty domains (sets) $D_\alpha$, such that $D_o = \{T, F\}$ 
(where T represents truth and F represents falsehood). The $D_{\alpha \to \beta}$ are collections of functions 
mapping $D_\alpha$ into $D_\beta$. The members of $D_\iota$ are called individuals. An interpretation is a tuple 
$(\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ where function I maps each typed constant $c_\alpha$ to an appropriate element of 
$D_\alpha$, which is called the denotation of $c_\alpha$ (the denotations of $\neg$, $\vee$ and $\Pi$ are always chosen 
as intended). A variable assignment $\phi$ maps variables $X_\alpha$ to elements in $D_\alpha$. An interpretation 
$(\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ is a Henkin model (general model) if and only if there is a binary function 
$\mathcal{V}$ such that $\mathcal{V}_\phi s_\alpha \in D_\alpha$ for each variable assignment $\phi$ and term $s_\alpha \in L$, and the following 
conditions are satisfied for all $\phi$ and all $s, t \in L$: (a) $\mathcal{V}_\phi X_\alpha = \phi X_\alpha$, (b) $\mathcal{V}_\phi p_\alpha = I p_\alpha$, (c) 
$\mathcal{V}_\phi (s_{\alpha \to \beta}\, t_\alpha) = (\mathcal{V}_\phi s_{\alpha \to \beta})(\mathcal{V}_\phi t_\alpha)$, and (d) $\mathcal{V}_\phi (\lambda X_\alpha.\, s_\beta)$ is that function from $D_\alpha$ into $D_\beta$ whose 
value for each argument $z \in D_\alpha$ is $\mathcal{V}_{[z/X_\alpha],\phi}\, s_\beta$, where $[z/X_\alpha],\phi$ is that variable assignment such 
that $([z/X_\alpha],\phi)\, X_\alpha = z$ and $([z/X_\alpha],\phi)\, Y_\beta = \phi Y_\beta$ if $Y_\beta \neq X_\alpha$.¹ 

If an interpretation $(\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ is a Henkin model, the function $\mathcal{V}$ is uniquely determined. 
An interpretation $(\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ is a standard model if and only if for all $\alpha$ and $\beta$, $D_{\alpha \to \beta}$ is the 
set of all functions from $D_\alpha$ into $D_\beta$. Each standard model is also a Henkin model. 

We say that formula $A \in L$ is valid in a model $(\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ if and only if $\mathcal{V}_\phi A = T$ for every 
variable assignment $\phi$. A model for a set of formulas H is a model in which each formula of H is 
valid. 

A formula A is Henkin-valid (standard-valid) if and only if A is valid in every Henkin (standard) 
model. Clearly each formula which is Henkin-valid is also standard-valid, but the converse 
of this statement is false. We write $\models^{STT} A$ if A is Henkin-valid and we write $\Gamma \models^{STT} A$ if A is 
valid in all Henkin models in which all formulas of $\Gamma$ are valid. 



¹ Since $I\neg$, $I\vee$, and $I\Pi$ are always chosen as intended, we have $\mathcal{V}_\phi(\neg s) = T$ iff $\mathcal{V}_\phi s = F$, $\mathcal{V}_\phi(s \vee t) = T$ iff 
$\mathcal{V}_\phi s = T$ or $\mathcal{V}_\phi t = T$, and $\mathcal{V}_\phi(\forall X_\alpha.\, s) = \mathcal{V}_\phi(\Pi_\alpha\, (\lambda X_\alpha.\, s_o)) = T$ iff for all $z \in D_\alpha$ we have $\mathcal{V}_{[z/X_\alpha],\phi}\, s = T$. Moreover, 
we have $\mathcal{V}_\phi s = \mathcal{V}_\phi t$ whenever $s \equiv_{\beta\eta} t$. 
3 Translating Access Control Logic to Modal Logic 

The access control logic ICL studied by Garg and Abadi [15] is defined by 

$$s ::= p \mid s_1 \wedge s_2 \mid s_1 \vee s_2 \mid s_1 \supset s_2 \mid \bot \mid \top \mid A\ \mathit{says}\ s$$

p denotes atomic propositions, $\wedge$, $\vee$, $\supset$, $\bot$ and $\top$ denote the standard logical connectives, and 
A denotes principals, which are atomic and distinct from the atomic propositions p. Expressions 
of the form $A\ \mathit{says}\ s$ intuitively mean that A asserts (or supports) s. ICL inherits all 
inference rules of intuitionistic propositional logic. The logical connective says satisfies the 
following axioms: 

$\vdash s \supset (A\ \mathit{says}\ s)$ (unit) 
$\vdash (A\ \mathit{says}\ (s \supset t)) \supset (A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ t)$ (cuc) 
$\vdash (A\ \mathit{says}\ A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s)$ (idem) 

Example 3.1 (from [15]) We consider a file-access scenario with an administrating principal 
admin, a user Bob, one file file1, and the following policy: 

1. If admin says that file1 should be deleted, then this must be the case. 

2. admin trusts Bob to decide whether file1 should be deleted. 

3. Bob wants to delete file1. 

This policy can be encoded in ICL as follows: 

$(\mathit{admin}\ \mathit{says}\ \mathit{deletefile1}) \supset \mathit{deletefile1}$ (1.1) 
$\mathit{admin}\ \mathit{says}\ ((\mathit{Bob}\ \mathit{says}\ \mathit{deletefile1}) \supset \mathit{deletefile1})$ (1.2) 
$\mathit{Bob}\ \mathit{says}\ \mathit{deletefile1}$ (1.3) 

The question whether file1 should be deleted in this situation corresponds to proving 
deletefile1 (1.4), which follows from (1.1)-(1.3), (unit), and (cuc). 

Garg and Abadi [15] propose the following mapping $\lceil . \rceil$ of ICL formulas into modal logic 
S4 formulas (similar to Gödel's translation from intuitionistic logic to S4 [16], but providing 
a mapping for the additional connective says; we refer to Garg and Abadi [15] for a brief 
discussion of the intuition of the mapping of says). 

$\lceil p \rceil = \Box p$ 
$\lceil s \wedge t \rceil = \lceil s \rceil \wedge \lceil t \rceil$, $\lceil \top \rceil = \top$ 
$\lceil s \vee t \rceil = \lceil s \rceil \vee \lceil t \rceil$, $\lceil \bot \rceil = \bot$ 
$\lceil s \supset t \rceil = \Box(\lceil s \rceil \supset \lceil t \rceil)$, $\lceil A\ \mathit{says}\ s \rceil = \Box(A \vee \lceil s \rceil)$ 

Logic ICL$^{\Rightarrow}$ extends ICL by a speaks-for operator (represented by $\Rightarrow$) which satisfies the 
following axioms: 

$\vdash A \Rightarrow A$ (refl) 
$\vdash (A \Rightarrow B) \supset (B \Rightarrow C) \supset (A \Rightarrow C)$ (trans) 
$\vdash (A \Rightarrow B) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)$ (speaking-for) 
$\vdash (B\ \mathit{says}\ (A \Rightarrow B)) \supset (A \Rightarrow B)$ (handoff) 

The use of the new $\Rightarrow$ operator is illustrated by the following modification of Example 3.1. 

Example 3.2 (from [15]) Bob delegates his authority to delete file1 to Alice (see (2.3)), 
who now wants to delete file1. 

$(\mathit{admin}\ \mathit{says}\ \mathit{deletefile1}) \supset \mathit{deletefile1}$ (2.1) 
$\mathit{admin}\ \mathit{says}\ ((\mathit{Bob}\ \mathit{says}\ \mathit{deletefile1}) \supset \mathit{deletefile1})$ (2.2) 
$\mathit{Bob}\ \mathit{says}\ \mathit{Alice} \Rightarrow \mathit{Bob}$ (2.3) 
$\mathit{Alice}\ \mathit{says}\ \mathit{deletefile1}$ (2.4) 

Using these facts and (handoff) and (speaking-for) one can prove deletefile1 (2.5). 

The translation of ICL$^{\Rightarrow}$ into S4 extends the translation from ICL to S4 by 

$\lceil A \Rightarrow B \rceil = \Box(A \supset B)$ 

Logic ICL$^{B}$ differs from ICL by allowing that principals may contain Boolean connectives (a 
denotes atomic principals distinct from atomic propositions): 

$$A, B ::= a \mid A \wedge B \mid A \vee B \mid A \supset B \mid \bot \mid \top$$

ICL$^{B}$ satisfies the following additional axioms: 

$\vdash (\bot\ \mathit{says}\ s) \supset s$ (trust) 
If $A = \top$ then $\vdash A\ \mathit{says}\ \bot$ (untrust) 
$\vdash ((A \supset B)\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)$ (cuc') 

Abadi and Garg show that the speaks-for operator from ICL$^{\Rightarrow}$ is definable in ICL$^{B}$. The 
use of ICL$^{B}$ is illustrated by the following modification of Example 3.1. 

Example 3.3 (from [15]) admin is trusted on deletefile1 and its consequences (3.1). 
(3.2) says that admin further delegates this authority to Bob. 

$(\mathit{admin}\ \mathit{says}\ \bot) \supset \mathit{deletefile1}$ (3.1) 
$\mathit{admin}\ \mathit{says}\ ((\mathit{Bob} \supset \mathit{admin})\ \mathit{says}\ \mathit{deletefile1})$ (3.2) 
$\mathit{Bob}\ \mathit{says}\ \mathit{deletefile1}$ (3.3) 

Using these facts and the available axioms one can again prove deletefile1 (3.4). 

The translation of ICL$^{B}$ into S4 is the same as the translation from ICL to S4. However, the 
mapping $\lceil A\ \mathit{says}\ s \rceil = \Box(A \vee \lceil s \rceil)$ now guarantees that Boolean principal expressions A are mapped 
one-to-one to Boolean expressions in S4. 
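As an added illustration (not code from the paper or from Garg and Abadi), the following Python implements the mapping $\lceil . \rceil$ of this section for ICL, ICL$^{\Rightarrow}$ and ICL$^{B}$ as a function on formula trees, the Kripke satisfaction relation of Section 2, and a bounded search for counter-models over all frames with at most two worlds; the tuple encoding of formulas, the size bound and all helper names are this example's own choices. It checks Examples 3.1 and 3.2 against all small reflexive-transitive frames and shows that the translation of (unit) has a counter-model once reflexivity and transitivity are dropped.

```python
from itertools import combinations, product

# Formulas are nested tuples (a constructed encoding for this example):
#   ('p', name)                 atomic proposition or atomic principal
#   ('and', s, t) ('or', s, t) ('imp', s, t)   the connectives ∧, ∨, ⊃
#   ('bot',) ('top',)           ⊥, ⊤
#   ('says', A, s)              A says s        ('sf', A, B)   A ⇒ B (speaks-for)
#   ('box', s) ('not', s)       □ and ¬ on the S4 side
MAX_WORLDS = 2   # bound for the exhaustive frame search

def P(name):
    return ('p', name)

def tr(f):
    """Garg/Abadi mapping ⌈.⌉ of an ICL / ICL^⇒ / ICL^B formula into S4.
    Principals (the A in 'says' and 'sf') are carried over untranslated,
    which is what lets Boolean principals of ICL^B map one-to-one."""
    op = f[0]
    if op == 'p':
        return ('box', f)                               # ⌈p⌉ = □p
    if op in ('and', 'or'):
        return (op, tr(f[1]), tr(f[2]))                 # ⌈s ∧ t⌉ = ⌈s⌉ ∧ ⌈t⌉
    if op == 'imp':
        return ('box', ('imp', tr(f[1]), tr(f[2])))     # ⌈s ⊃ t⌉ = □(⌈s⌉ ⊃ ⌈t⌉)
    if op in ('bot', 'top'):
        return f                                        # ⌈⊥⌉ = ⊥, ⌈⊤⌉ = ⊤
    if op == 'says':
        return ('box', ('or', f[1], tr(f[2])))          # ⌈A says s⌉ = □(A ∨ ⌈s⌉)
    if op == 'sf':
        return ('box', ('imp', f[1], f[2]))             # ⌈A ⇒ B⌉ = □(A ⊃ B)
    raise ValueError(f)

def holds(worlds, R, val, w, f):
    """Kripke satisfaction w ⊨ f; val[w] is the set of atoms true at world w."""
    op = f[0]
    if op == 'p':   return f[1] in val[w]
    if op == 'top': return True
    if op == 'bot': return False
    if op == 'not': return not holds(worlds, R, val, w, f[1])
    if op == 'and': return holds(worlds, R, val, w, f[1]) and holds(worlds, R, val, w, f[2])
    if op == 'or':  return holds(worlds, R, val, w, f[1]) or holds(worlds, R, val, w, f[2])
    if op == 'imp': return (not holds(worlds, R, val, w, f[1])) or holds(worlds, R, val, w, f[2])
    if op == 'box': return all(holds(worlds, R, val, u, f[1]) for u in worlds if (w, u) in R)
    raise ValueError(f)

def atoms(f):
    return {f[1]} if f[0] == 'p' else set().union(*(atoms(g) for g in f[1:]))

def frames(n, s4):
    """All frames on worlds 0..n-1; with s4=True only the reflexive, transitive ones."""
    worlds = list(range(n))
    pairs = [(a, b) for a in worlds for b in worlds]
    for bits in product((False, True), repeat=len(pairs)):
        R = {pair for pair, bit in zip(pairs, bits) if bit}
        reflexive = all((a, a) in R for a in worlds)
        transitive = all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)
        if s4 and not (reflexive and transitive):
            continue
        yield worlds, R

def counterexample(f, s4=True):
    """A (worlds, R, val, w) with w ⊭ f on some frame of at most MAX_WORLDS worlds,
    or None if f holds in every such model (S4 frames only when s4=True)."""
    names = sorted(atoms(f))
    subsets = [frozenset(c) for k in range(len(names) + 1) for c in combinations(names, k)]
    for n in range(1, MAX_WORLDS + 1):
        for worlds, R in frames(n, s4):
            for choice in product(subsets, repeat=n):
                val = dict(zip(worlds, choice))
                for w in worlds:
                    if not holds(worlds, R, val, w, f):
                        return worlds, R, val, w
    return None

def says(A, s): return ('says', A, s)
def imp(s, t):  return ('imp', s, t)
def conj(*fs):
    out = fs[-1]
    for g in reversed(fs[:-1]):
        out = ('and', g, out)
    return out

def entails(premises, goal, s4=True):
    """Bounded check of ⊨ ⌈(premises) ⊃ goal⌉; on the ICL side this is ⊢ premises ⊃ goal."""
    return counterexample(tr(imp(conj(*premises), goal)), s4) is None

# Example 3.1, (1.1)-(1.3), and Example 3.2, (2.1)-(2.4); the goal is deletefile1
admin, bob, alice, d = P('admin'), P('Bob'), P('Alice'), P('deletefile1')
EX1 = [imp(says(admin, d), d), says(admin, imp(says(bob, d), d)), says(bob, d)]
EX2 = [EX1[0], EX1[1], says(bob, ('sf', alice, bob)), says(alice, d)]
UNIT = imp(P('s'), says(P('A'), P('s')))   # axiom (unit) with s and A atomic

if __name__ == '__main__':
    print('Ex1 holds on all small S4 frames:', entails(EX1, d))
    print('Ex2 holds on all small S4 frames:', entails(EX2, d))
    print('(unit) counter-model without reflexivity/transitivity:',
          counterexample(tr(UNIT), s4=False))
```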

Garg and Abadi prove their translations sound and complete: 

Theorem 3.4 (Soundness and Completeness) $\vdash s$ in ICL (resp. ICL$^{\Rightarrow}$ and ICL$^{B}$) if and only if 
$\vdash \lceil s \rceil$ in S4. 

Proof: See Theorem 1 (resp. Theorem 2 and Theorem 3) of Garg and Abadi [15]. q.e.d. 
4 Embedding Modal Logic in Simple Type Theory 

Embeddings of modal logics into higher-order logic have not yet been widely studied, although 
multimodal logic can be regarded as a natural fragment of STT. Gallin [13] appears to mention 
the idea first. He presents an embedding of modal logic into a 2-sorted type theory. This idea 
is picked up by Gamut [14] and a related embedding has recently been studied by Hardt and 
Smolka [17]. Carpenter [11] proposes to use lifted connectives, an idea that is also underlying 
the embeddings presented by Merz [21], Brown [10], Harrison [18, Chap. 20], and Kaminski and 
Smolka [20]. 

In [7] we pick up and extend the embedding of multimodal logics into STT as studied by 
Brown [10]. The starting point is a characterization of multimodal logic formulas as particular $\lambda$-
terms in STT. A distinctive characteristic of the encoding is that the definiens of the $\Box_R$ operator 
$\lambda$-abstracts over the accessibility relation R. As is shown in [7] this supports the formulation of 
meta properties of encoded multimodal logics such as the correspondence between certain axioms 
and properties of the accessibility relation R. And some of these meta properties can be efficiently 
automated within our higher-order theorem prover LEO-II. 

The general idea of this encoding is very simple: Choose base type $\iota$ and let this type denote 
the set of all possible worlds. Certain formulas of type $\iota \to o$ then correspond to multimodal 
logic expressions, whereas the modal operators $\neg$, $\vee$, and $\Box_r$ itself become $\lambda$-terms of type 
$(\iota \to o) \to (\iota \to o)$, $(\iota \to o) \to (\iota \to o) \to (\iota \to o)$, and $(\iota \to \iota \to o) \to (\iota \to o) \to (\iota \to o)$ 
respectively. Intuitively, a multimodal formula of type $\iota \to o$ denotes the set of worlds in which 
it is true. 

The mapping $\lfloor . \rfloor$ translates formulas of multimodal logic ML into terms of type $\iota \to o$ in STT: 

$\lfloor p \rfloor = p_{\iota \to o}$ 
$\lfloor r \rfloor = r_{\iota \to \iota \to o}$ 
$\lfloor \neg s \rfloor = \lambda X_\iota.\, \neg(\lfloor s \rfloor\, X)$ 
$\lfloor s \vee t \rfloor = \lambda X_\iota.\, (\lfloor s \rfloor\, X) \vee (\lfloor t \rfloor\, X)$ 
$\lfloor \Box_r s \rfloor = \lambda X_\iota.\, \forall Y_\iota.\, (\lfloor r \rfloor\, X\, Y) \Rightarrow (\lfloor s \rfloor\, Y)$ 

The corresponding local definitions are: 

$|p| = p_{\iota \to o}$ 
$|r| = r_{\iota \to \iota \to o}$ 
$|\neg| = \lambda A_{\iota \to o}.\, \lambda X_\iota.\, \neg(A\, X)$ 
$|\vee| = \lambda A_{\iota \to o}.\, \lambda B_{\iota \to o}.\, \lambda X_\iota.\, (A\, X) \vee (B\, X)$ 
$|\Box| = \lambda R_{\iota \to \iota \to o}.\, \lambda A_{\iota \to o}.\, \lambda X_\iota.\, \forall Y_\iota.\, (R\, X\, Y) \Rightarrow (A\, Y)$ 

The expressiveness of STT (in particular the use of $\lambda$-abstraction and $\beta\eta$-conversion) allows us 
to replace mapping $\lfloor . \rfloor$ by mapping $| . |$ which works locally and is not recursive.² 

It is easy to check that this local mapping works as intended. For example, 

$|\Box_r p \vee \Box_r p| = |\vee|\, (|\Box|\, |r|\, |p|)\, (|\Box|\, |r|\, |p|) \equiv_{\beta\eta} \lfloor \Box_r p \vee \Box_r p \rfloor$ 



² Note that the encoding of the modal operators $\Box_r$ is chosen to explicitly depend on an accessibility relation r 
of type $\iota \to \iota \to o$ given as first argument to it. Hence, we basically introduce a generic framework for modeling 
multimodal logics. This idea is due to Brown and it is this aspect where the encoding differs from the LTL encoding 
of Harrison. The latter chooses the interpreted type num of numerals and then uses the predefined relation $<$ over 
numerals as fixed accessibility relation in the definitions of $\Box$ and $\Diamond$. By making the dependency of $\Box_r$ and $\Diamond_r$ on 
the accessibility relation r explicit, we can not only formalize but also automatically prove some meta properties of 
multimodal logics as we have demonstrated in [7]. 
Further local definitions for other multimodal logic operators can be introduced this way. 
For example, $|\supset| = \lambda A_{\iota \to o}.\, \lambda B_{\iota \to o}.\, \lambda X_\iota.\, (A\, X) \Rightarrow (B\, X)$, $|\bot| = \lambda A_\iota.\, \bot$, $|\top| = \lambda A_\iota.\, \top$, and 
$|\wedge| = \lambda A_{\iota \to o}.\, \lambda B_{\iota \to o}.\, \lambda X_\iota.\, (A\, X) \wedge (B\, X)$. 

A notion of validity for the $\lambda$-terms (of type $\iota \to o$) we obtain after definition expansion is still 
missing: We want $A_{\iota \to o}$ to be valid if and only if for all possible worlds $w_\iota$ we have $(A_{\iota \to o}\, w_\iota)$, 
that is, $w \in A$. This notion of validity is also introduced as a local definition: 

$|\mathrm{Mval}| := \lambda A_{\iota \to o}.\, \forall W_\iota.\, A\, W$ 

Garg and Abadi's translation of access control into modal logic as presented in Section 3 
is monomodal and does not require different $\Box_r$-operators. Thus, for the purpose of this paper 
we restrict the outlined general embedding of multimodal logics into STT to an embedding of 
monomodal logic into STT. Hence, for the remainder of the paper we assume that ML provides 
exactly one $\Box_r$-operator, that is, a single relation constant r. 

We next study soundness of this embedding. Our soundness proof below employs the 
following mapping of Kripke frames into Henkin models. 

Definition 4.1 (Henkin model $M^K$ for Kripke Model K) Given a Kripke model $K = (W, (R_r), \models)$. 
The Henkin model $M^K = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ for K is defined as follows: We choose the set of 
individuals $D_\iota$ as the set of worlds W and we choose the $D_{\alpha \to \beta}$ as the set of all functions from 
$D_\alpha$ to $D_\beta$. Let $p^1, \ldots, p^m$ for $m \geq 1$ be the atomic primitives occurring in modal language ML. 
Remember that $\Box_r$ is the only box operator of ML. Note that $|p^i| = p^i_{\iota \to o}$ and $|r| = r_{\iota \to \iota \to o}$. Thus, 
for $1 \leq i \leq m$ we choose $I p^i_{\iota \to o} \in D_{\iota \to o}$ such that $(I p^i_{\iota \to o})(w) = T$ for all $w \in D_\iota$ with $w \models p^i$ in 
Kripke model K and $(I p^i_{\iota \to o})(w) = F$ otherwise. Similarly, we choose $I r_{\iota \to \iota \to o} \in D_{\iota \to \iota \to o}$ such 
that $(I r_{\iota \to \iota \to o})(w, w') = T$ if $R_r(w, w')$ in Kripke model K and $(I r_{\iota \to \iota \to o})(w, w') = F$ otherwise. 
Clearly, if $R_r$ is reflexive and transitive then, by construction, $I r_{\iota \to \iota \to o}$ is so as well. It is easy 
to check that $M^K = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ is a Henkin model. In fact it is a standard model since the 
function spaces are full. 

Lemma 4.2 Let $M^K = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ be a Henkin model for Kripke model $K = (W, (R_i)_{i \in I}, \models)$. 
For all $q \in L$, $w \in W$ and variable assignments $\phi$ the following are equivalent: (i) $w \models q$, (ii) 
$\mathcal{V}_{[w/W_\iota],\phi}(\lfloor q \rfloor\, W) = T$, and (iii) $\mathcal{V}_{[w/W_\iota],\phi}(|q|\, W) = T$. 

Proof: We prove (i) if and only if (ii) by induction on the structure of q. Let $q = p$ for some 
atomic primitive $p \in L$. By construction of $M^K$, we have $\mathcal{V}_{[w/W_\iota],\phi}(\lfloor p \rfloor\, W) = \mathcal{V}_{[w/W_\iota],\phi}(p_{\iota \to o}\, W) = 
(I p_{\iota \to o})(w) = T$ if and only if $w \models p$. Let $q = \neg s$. We have $w \models \neg s$ if and only if $w \not\models s$. By 
induction we get $\mathcal{V}_{[w/W_\iota],\phi}(\lfloor s \rfloor\, W) = F$ and hence $\mathcal{V}_{[w/W_\iota],\phi}(\neg(\lfloor s \rfloor\, W)) =_{\beta\eta} \mathcal{V}_{[w/W_\iota],\phi}(\lfloor \neg s \rfloor\, W) = T$. 
Let $q = (s \vee t)$. We have $w \models (s \vee t)$ if and only if $w \models s$ or $w \models t$. By induction, $\mathcal{V}_{[w/W_\iota],\phi}(\lfloor s \rfloor\, W) = 
T$ or $\mathcal{V}_{[w/W_\iota],\phi}(\lfloor t \rfloor\, W) = T$. Thus $\mathcal{V}_{[w/W_\iota],\phi}((\lfloor s \rfloor\, W) \vee (\lfloor t \rfloor\, W)) =_{\beta\eta} \mathcal{V}_{[w/W_\iota],\phi}(\lfloor s \vee t \rfloor\, W) = T$. Let 
$q = \Box_r s$. We have $w \models \Box_r s$ if and only if for all u with $R_r(w, u)$ we have $u \models s$. By induction, for 
all u with $R_r(w, u)$ we have $\mathcal{V}_{[u/V_\iota],\phi}(\lfloor s \rfloor\, V) = T$. Hence, $\mathcal{V}_{[u/V_\iota],[w/W_\iota],\phi}((\lfloor r \rfloor\, W\, V) \Rightarrow (\lfloor s \rfloor\, V)) = T$ 
and thus $\mathcal{V}_{[w/W_\iota],\phi}(\forall Y_\iota.\, ((\lfloor r \rfloor\, W\, Y) \Rightarrow (\lfloor s \rfloor\, Y))) =_{\beta\eta} \mathcal{V}_{[w/W_\iota],\phi}(\lfloor \Box_r s \rfloor\, W) = T$. 

We leave it to the reader to prove (ii) if and only if (iii). q.e.d. 
We now prove soundness of the embedding of normal monomodal logics K and S4 into STT. 
In the case of S4 we add axioms that correspond to modal logic axioms T (reflexivity) and 4 
(transitivity).³ Here we call these axioms R and T. 

Theorem 4.3 (Soundness of the Embedding of K and S4 into STT) Let $s \in ML$ be a mono-
modal logic proposition. 

1. If $\models^{STT} |\mathrm{Mval}\ s|$ then $\models^{K} s$. 

2. If $\{R, T\} \models^{STT} |\mathrm{Mval}\ s|$ then $\models^{S4} s$, where R and T are shorthands for 
$\forall X_{\iota \to o}.\, |\mathrm{Mval}\ \Box_r X \supset X|$ and $\forall X_{\iota \to o}.\, |\mathrm{Mval}\ \Box_r X \supset \Box_r \Box_r X|$ respectively. 

Proof: 

(1) The proof is by contraposition. For this, assume $\not\models^{K} s$, that is, there is a Kripke model $K = 
(W, (R_r), \models)$ with $w \not\models s$ for some $w \in W$. By Lemma 4.2, for arbitrary $\phi$ we have $\mathcal{V}_{[w/W_\iota],\phi}(|s|\, W) = 
F$ in Henkin model $M^K$ for K. Thus, $\mathcal{V}_\phi(\forall W_\iota.\, |s|\, W) = \mathcal{V}_\phi |\mathrm{Mval}\ s| = F$. Hence, $\not\models^{STT} |\mathrm{Mval}\ s|$. 

(2) The proof is by contraposition. From $\not\models^{S4} s$ we get by Lemma 4.2 that $|\mathrm{Mval}\ s|$ is not 
valid in Henkin model $M^K = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ for Kripke model $K = (W, (R_r), \models)$. $R_r$ in K is reflexive 
and transitive, hence, the relation $(I r) \in D_{\iota \to \iota \to o}$ is so as well. We leave it to the reader to verify 
that axioms R and T are valid in $M^K$. Hence, $\{R, T\} \not\models^{STT} |\mathrm{Mval}\ s|$. q.e.d. 

In order to prove completeness, we introduce a mapping from Henkin models to Kripke 
models. We assume that the signature of the modal logic contains the atomic primitives 
$p^1, \ldots, p^m$ for $m \geq 1$ and that the simple type theory signature correspondingly contains constants 
$p^1_{\iota \to o}, \ldots, p^m_{\iota \to o}$ for $m \geq 1$ as well as relation constant $r_{\iota \to \iota \to o}$. 

Definition 4.4 (Kripke Model $K^M$ for Henkin model M) Let Henkin model $M = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ 
be given. The Kripke model $K^M = (W, (R_r), \models)$ for Henkin model M is defined as follows: We 
choose the set of worlds W as the set of individuals $D_\iota$. Moreover, we choose $\models$ such that $w \models p^i$ 
in $K^M$ if $(I p^i_{\iota \to o})(w) = T$ in M and $w \not\models p^i$ otherwise. Similarly, we choose $R_r$ such that $w R_r w'$ 
in $K^M$ if $(I r_{\iota \to \iota \to o})(w, w') = T$ in M and $\neg(w R_r w')$ otherwise. Clearly, if $(I r_{\iota \to \iota \to o})$ is reflexive 
and transitive then also $R_r$ is. It is easy to check that $K^M$ is a Kripke model. 

Lemma 4.5 Let $K^M = (W, (R_i)_{i \in I}, \models)$ be a Kripke model for Henkin model $M = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$. 
For all $q \in L$, $w \in W$ and variable assignments $\phi$ the following are equivalent: (i) $w \models q$, (ii) 
$\mathcal{V}_{[w/W_\iota],\phi}(\lfloor q \rfloor\, W) = T$, and (iii) $\mathcal{V}_{[w/W_\iota],\phi}(|q|\, W) = T$. 

Proof: Analogous to Lemma 4.2. q.e.d. 



³ Note that T = $(\Box_r s \supset s)$ and 4 = $(\Box_r s \supset \Box_r \Box_r s)$ are actually axiom schemata in modal logic. As we show here, 
their counterparts in STT actually become proper axioms. 
We now prove completeness of the embedding of normal monomodal logics K and S4 into 
STT. As before we add axioms T and R to obtain S4. 

Theorem 4.6 (Completeness of the Embedding of K and S4 into STT) Let $s \in ML$ be a mono-
modal logic proposition. 

1. If $\models^{K} s$ then $\models^{STT} |\mathrm{Mval}\ s|$. 

2. If $\models^{S4} s$ then $\{R, T\} \models^{STT} |\mathrm{Mval}\ s|$, where R and T are shorthands for 
$\forall X_{\iota \to o}.\, |\mathrm{Mval}\ \Box_r X \supset X|$ and $\forall X_{\iota \to o}.\, |\mathrm{Mval}\ \Box_r X \supset \Box_r \Box_r X|$ respectively. 

Proof: 

(1) The proof is by contraposition. Assume $\not\models^{STT} |\mathrm{Mval}\ s|$, that is, for a Henkin model 
$M = (\{D_\alpha\}_{\alpha \in \mathcal{T}}, I)$ and a variable assignment $\phi$ we have $\mathcal{V}_\phi |\mathrm{Mval}\ s| = F$ in M. This implies 
that there is some $w \in D_\iota$ such that $\mathcal{V}_{[w/W_\iota],\phi}(|s|\, W) = F$ in M. By Lemma 4.5 we know that $w \not\models s$ 
in Kripke model $K^M = (W, (R_r), \models)$ for M. Hence, $\not\models^{K} s$. 

(2) The proof is analogous to above and from $\{R, T\} \not\models^{STT} |\mathrm{Mval}\ s|$ we get with Lemma 
4.5 that $w \not\models s$ in Kripke model $K^M = (W, (R_r), \models)$ for M. However, we now additionally have 
for axioms R and T that $\mathcal{V}_\phi R = \mathcal{V}_\phi T = T$. We leave it to the reader to check that this implies 
reflexivity and transitivity of relation $(I r_{\iota \to \iota \to o})$. Thus, by construction, $R_r$ in $K^M$ is reflexive and 
transitive. This implies $\not\models^{S4} s$. q.e.d. 

Reasoning problems in modal logics K and S4 can thus be considered as reasoning problems 
in STT. Hence, any off-the-shelf theorem prover that is sound for STT, such as our LEO-II, 
can be applied to them. For example, $\models^{STT} |\mathrm{Mval}\ \Box_r \top|$, $\models^{STT} |\mathrm{Mval}\ \Box_r a \supset \Box_r a|$, and $\models^{STT} 
|\mathrm{Mval}\ \Box_r (a \supset b) \supset (\Box_r a \supset \Box_r b)|$ are automatically proved by LEO-II in 0.024 seconds, 0.026 
seconds, and 0.035 seconds respectively. All experiments with LEO-II reported in this paper were 
conducted with LEO-II version v0.98⁴ on a notebook computer with an Intel Pentium 1.60GHz 
processor with 1GB memory running Linux. 

More impressive example problems illustrating LEO-II's performance for reasoning in and 
about multimodal logic can be found in [7]. Amongst these problems is also the equivalence 
between axioms $\Box_r s \supset s$ and $\Box_r s \supset \Box_r \Box_r s$ and the reflexivity and transitivity properties of the 
accessibility relation r: 

Example 4.7 $\models^{STT} (R \wedge T) \Leftrightarrow (\mathit{refl}\ r \wedge \mathit{trans}\ r)$ where R and T are the abbreviations as 
introduced in Theorem 4.3 and refl and trans abbreviations for $\lambda R_{\iota \to \iota \to o}.\, \forall X_\iota.\, R\, X\, X$ and 
$\lambda R_{\iota \to \iota \to o}.\, \forall X_\iota.\, \forall Y_\iota.\, \forall Z_\iota.\, R\, X\, Y \wedge R\, Y\, Z \Rightarrow R\, X\, Z$. LEO-II can solve this modal logic meta-level prob-
lem in 2.329 seconds. 



⁴ LEO-II is available from http://www.ags.uni-sb.de/~leo/. 
5 Embedding Access Control Logic in Simple Type Theory 

We combine the results from Sections 3 and 4 and obtain the following mapping $\| . \|$ from access 
control logic ICL into STT: 

$\|p\| = |\Box_r p| = \lambda X_\iota.\, \forall Y_\iota.\, r_{\iota \to \iota \to o}\, X\, Y \Rightarrow p_{\iota \to o}\, Y$ 
$\|A\| = |A| = a_{\iota \to o}$ (distinct from the $p_{\iota \to o}$) 
$\|\wedge\| = \lambda S.\, \lambda T.\, |S \wedge T| = \lambda S_{\iota \to o}.\, \lambda T_{\iota \to o}.\, \lambda X_\iota.\, S\, X \wedge T\, X$ 
$\|\vee\| = \lambda S.\, \lambda T.\, |S \vee T| = \lambda S_{\iota \to o}.\, \lambda T_{\iota \to o}.\, \lambda X_\iota.\, S\, X \vee T\, X$ 
$\|\supset\| = \lambda S.\, \lambda T.\, |\Box_r (S \supset T)| = \lambda S_{\iota \to o}.\, \lambda T_{\iota \to o}.\, \lambda X_\iota.\, \forall Y_\iota.\, r_{\iota \to \iota \to o}\, X\, Y \Rightarrow (S\, Y \Rightarrow T\, Y)$ 
$\|\top\| = |\top| = \lambda S_\iota.\, \top$ 
$\|\bot\| = |\bot| = \lambda S_\iota.\, \bot$ 
$\|\mathit{says}\| = \lambda A.\, \lambda S.\, |\Box_r (A \vee S)| = \lambda A_{\iota \to o}.\, \lambda S_{\iota \to o}.\, \lambda X_\iota.\, \forall Y_\iota.\, r_{\iota \to \iota \to o}\, X\, Y \Rightarrow (A\, Y \vee S\, Y)$ 

It is easy to verify that this mapping works as intended. For example: 

$\|\mathit{admin}\ \mathit{says}\ \bot\| := \|\mathit{says}\|\, \|\mathit{admin}\|\, \|\bot\|$ 
$\equiv_{\beta\eta} \lambda X_\iota.\, \forall Y_\iota.\, r_{\iota \to \iota \to o}\, X\, Y \Rightarrow (\mathit{admin}_{\iota \to o}\, Y \vee \bot)$ 
$\equiv_{\beta\eta} |\Box_r (\mathit{admin} \vee \bot)| \equiv_{\beta\eta} \lfloor \Box_r (\mathit{admin} \vee \bot) \rfloor$ 
$= \lfloor \lceil \mathit{admin}\ \mathit{says}\ \bot \rceil \rfloor$ 

We extend this mapping to logic ICL$^{\Rightarrow}$ by adding a clause for the speaks-for connective $\Rightarrow$: 

$\|\Rightarrow\| = \lambda A.\, \lambda B.\, |\Box_r (A \supset B)| = \lambda A_{\iota \to o}.\, \lambda B_{\iota \to o}.\, \lambda X_\iota.\, \forall Y_\iota.\, r_{\iota \to \iota \to o}\, X\, Y \Rightarrow (A\, Y \Rightarrow B\, Y)$ 

For the translation of ICL$^{B}$ we simply allow that the ICL connectives can be applied to prin-
cipals. Our mapping $\| . \|$ need not be modified and is applicable as is. 

The notion of validity for the terms we obtain after translation is chosen identical to before: 

$\|\mathrm{ICLval}\| = \lambda A_{\iota \to o}.\, |\mathrm{Mval}|\, A = \lambda A_{\iota \to o}.\, \forall W_\iota.\, A\, W$ 
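The local definitions of Section 4 and the mapping $\| . \|$ above can be executed directly as higher-order functions, because in a standard model with a finite $D_\iota$ every type has only finitely many elements. The Python below is an added example and not the paper's THF encoding: it writes the $\lambda$-terms $|\neg|$, $|\vee|$, $|\supset|$, $|\Box|$, $|\mathrm{Mval}|$ and $\|\mathit{says}\|$ as closures over a constructed three-world domain, builds the Henkin model $M^K$ of Definition 4.1 from a Kripke model, evaluates $\|\mathrm{ICLval}\|$ of (1.1)-(1.4), and checks the meta-level equivalence of Example 4.7 for every relation on that domain; the domain size, the sample models and all function names are assumptions of the example.

```python
from itertools import product

WORLDS = (0, 1, 2)   # D_ι: a constructed three-world domain (not from the paper)
# D_{ι→o} of a standard model is the full power set of WORLDS
SUBSETS = [frozenset(w for w, b in zip(WORLDS, bits) if b)
           for bits in product((False, True), repeat=len(WORLDS))]

def pred(S):      # an element of D_{ι→o} as a predicate on worlds
    return lambda X: X in S

def rel(pairs):   # an element of D_{ι→ι→o} as a binary predicate
    return lambda X, Y: (X, Y) in pairs

# The local definitions of Section 4 as closures: |¬|, |∨|, |∧|, |⊃|, |⊤|, |⊥|, |□|, |Mval|
def neg(A):     return lambda X: not A(X)
def disj(A, B): return lambda X: A(X) or B(X)
def conj(A, B): return lambda X: A(X) and B(X)
def impl(A, B): return lambda X: (not A(X)) or B(X)
def top(X):     return True
def bot(X):     return False
def box(R, A):  return lambda X: all((not R(X, Y)) or A(Y) for Y in WORLDS)
def mval(A):    return all(A(W) for W in WORLDS)   # λA.∀W_ι. A W

def henkin_model(R_r, val):
    """Definition 4.1: I r from the accessibility relation R_r and I p^i from val,
    where val maps an atom name to the set of worlds at which it holds."""
    return rel(R_r), {p: pred(ws) for p, ws in val.items()}

def example_3_1(R_r, val):
    """||ICLval|| of (1.1), (1.2), (1.3) and (1.4) in M^K, built with ||.|| of Section 5."""
    r, I = henkin_model(R_r, val)
    says = lambda A, S: box(r, disj(A, S))       # ||says|| = λA.λS.|□_r(A ∨ S)|
    imp  = lambda S, T: box(r, impl(S, T))       # ||⊃||    = λS.λT.|□_r(S ⊃ T)|
    d = box(r, I['deletefile1'])                 # ||deletefile1|| = |□_r deletefile1|
    admin, bob = I['admin'], I['Bob']            # ||A|| = a_{ι→o}, left untranslated
    f11 = imp(says(admin, d), d)
    f12 = says(admin, imp(says(bob, d), d))
    f13 = says(bob, d)
    return tuple(mval(f) for f in (f11, f12, f13, d))   # ||ICLval|| = |Mval|

# Axioms R and T of Theorem 4.3, with X ranging over the full D_{ι→o}
def axiom_R(r): return all(mval(impl(box(r, X), X)) for X in map(pred, SUBSETS))
def axiom_T(r): return all(mval(impl(box(r, X), box(r, box(r, X)))) for X in map(pred, SUBSETS))
# refl and trans as abbreviated in Example 4.7
def refl(r):  return all(r(X, X) for X in WORLDS)
def trans(r): return all((not (r(X, Y) and r(Y, Z))) or r(X, Z)
                         for X in WORLDS for Y in WORLDS for Z in WORLDS)

def example_4_7():
    """(R ∧ T) ⟺ (refl r ∧ trans r), checked for every relation on WORLDS."""
    pairs = [(a, b) for a in WORLDS for b in WORLDS]
    for bits in product((False, True), repeat=len(pairs)):
        r = rel({p for p, b in zip(pairs, bits) if b})
        if (axiom_R(r) and axiom_T(r)) != (refl(r) and trans(r)):
            return False
    return True

# A constructed S4 model: the chain 0 ≤ 1 ≤ 2 under its reflexive-transitive closure
S4_CHAIN = {(0, 0), (1, 1), (2, 2), (0, 1), (1, 2), (0, 2)}
ALL = frozenset(WORLDS)

if __name__ == '__main__':
    print(example_3_1(S4_CHAIN, {'admin': ALL, 'Bob': ALL, 'deletefile1': ALL}))
    print(example_3_1(S4_CHAIN, {'admin': ALL, 'Bob': ALL, 'deletefile1': {0, 1}}))
    print('Example 4.7 holds on WORLDS:', example_4_7())
```

In the second sample model the conclusion (1.4) fails, and so does premise (1.1), as soundness of the embedding requires.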

Theorem 5.1 (Soundness of the Embeddings of ICL, ICL$^{\Rightarrow}$, and ICL$^{B}$ in STT) Let $s \in$ ICL (resp. 
$s \in$ ICL$^{\Rightarrow}$, $s \in$ ICL$^{B}$) and let R and T be as before. If $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ s\|$ then $\vdash s$ in access 
control logic ICL (resp. ICL$^{\Rightarrow}$, ICL$^{B}$). 

Proof: If $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ s\|$ then $\models^{S4} \lceil s \rceil$ by Theorem 4.3 since $\|\mathrm{ICLval}\ s\| = |\mathrm{Mval}\ \lceil s \rceil|$. 
This implies that $\vdash \lceil s \rceil$ for the sound and complete Hilbert system for S4 studied in [15].⁵ By 
Theorem 3.4 we conclude that $\vdash s$ in access control logic ICL (resp. ICL$^{\Rightarrow}$, ICL$^{B}$). q.e.d. 



⁵ See Theorem 8 in [15] which is only given in the full version of the paper available from 
http://www.cs.cmu.edu/~dg/publications.html. 
Table 1: Performance of LEO-II when applied to problems in access control logic ICL 

Name   TPTP Name   Problem   LEO (s) 
unit   SWV425^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ s \supset (A\ \mathit{says}\ s)\|$   0.031 
cuc    SWV426^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (A\ \mathit{says}\ (s \supset t)) \supset (A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ t)\|$   0.083 
idem   SWV427^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (A\ \mathit{says}\ A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s)\|$   0.037 
Ex1    SWV428^1.p  $\{R, T, \|\mathrm{ICLval}\ (1.1)\|, \ldots, \|\mathrm{ICLval}\ (1.3)\|\} \models^{STT} \|\mathrm{ICLval}\ (1.4)\|$   3.494 
unit*  SWV425^2.p  $\models^{STT} \|\mathrm{ICLval}\ s \supset (A\ \mathit{says}\ s)\|$ 
cuc*   SWV426^2.p  $\models^{STT} \|\mathrm{ICLval}\ (A\ \mathit{says}\ (s \supset t)) \supset (A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ t)\|$ 
idem*  SWV427^2.p  $\models^{STT} \|\mathrm{ICLval}\ (A\ \mathit{says}\ A\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s)\|$ 
Ex1*   SWV428^2.p  $\{\|\mathrm{ICLval}\ (1.1)\|, \ldots, \|\mathrm{ICLval}\ (1.3)\|\} \models^{STT} \|\mathrm{ICLval}\ (1.4)\|$ 

Table 2: Performance of LEO-II when applied to problems in access control logic ICL$^{\Rightarrow}$ 

Name      TPTP Name   Problem   LEO (s) 
refl      SWV429^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ A \Rightarrow A\|$   0.052 
trans     SWV430^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (A \Rightarrow B) \supset (B \Rightarrow C) \supset (A \Rightarrow C)\|$   0.105 
sp.-for   SWV431^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (A \Rightarrow B) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)\|$   0.062 
handoff   SWV432^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (B\ \mathit{says}\ (A \Rightarrow B)) \supset (A \Rightarrow B)\|$   0.036 
Ex2       SWV433^1.p  $\{R, T, \|\mathrm{ICLval}\ (2.1)\|, \ldots, \|\mathrm{ICLval}\ (2.4)\|\} \models^{STT} \|\mathrm{ICLval}\ (2.5)\|$   0.698 
refl*     SWV429^2.p  $\models^{STT} \|\mathrm{ICLval}\ A \Rightarrow A\|$   0.031 
trans*    SWV430^2.p  $\models^{STT} \|\mathrm{ICLval}\ (A \Rightarrow B) \supset (B \Rightarrow C) \supset (A \Rightarrow C)\|$ 
sp.-for*  SWV431^2.p  $\models^{STT} \|\mathrm{ICLval}\ (A \Rightarrow B) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)\|$ 
handoff*  SWV432^2.p  $\models^{STT} \|\mathrm{ICLval}\ (B\ \mathit{says}\ (A \Rightarrow B)) \supset (A \Rightarrow B)\|$ 
Ex2*      SWV433^2.p  $\{\|\mathrm{ICLval}\ (2.1)\|, \ldots, \|\mathrm{ICLval}\ (2.4)\|\} \models^{STT} \|\mathrm{ICLval}\ (2.5)\|$ 




Theorem 5.2 (Completeness of the Embeddings of ICL, ICL$^{\Rightarrow}$, and ICL$^{B}$ in STT) Let $s \in$ ICL 
(resp. $s \in$ ICL$^{\Rightarrow}$, $s \in$ ICL$^{B}$) and let R and T be as before. If $\vdash s$ in access control logic ICL (resp. 
ICL$^{\Rightarrow}$, ICL$^{B}$) then $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ s\|$. 

Proof: Similar to above with Theorem 4.6 instead of Theorem 4.3. q.e.d. 

We can thus safely exploit our framework to map problems formulated in the access control logics 
ICL, ICL$^{\Rightarrow}$, and ICL$^{B}$ to problems in STT and we can apply the off-the-shelf higher-order theorem 
prover LEO-II (which itself cooperates with the first-order theorem prover E [22]) to solve them. 
Times in Tables 1-3 are given in seconds. 

Table 1 shows that LEO-II can effectively prove that the axioms unit, cuc and idem hold as 
expected in our embedding of ICL in STT. This provides additional evidence for the correctness 
of our approach. Example 3.1 can also be quickly solved by LEO-II. Problems unit*, cuc*, idem*, 
and Ex1* modify their counterparts by omitting the axioms R and T. Thus, they essentially test 
whether these problems can already be proven via a mapping to modal logic K instead of S4, 
which is not expected. A challenge for future work is to apply LEO-II to analyse invalidity of 
these axioms in context K and to synthesize concrete witness terms if possible. For unit*, for 
instance, the problem given to LEO-II would be 

$\models^{STT} \exists s.\, \neg \|\mathrm{ICLval}\ s \supset (A\ \mathit{says}\ s)\|$ 

Tables 2 and 3 extend our experiment to the other access control logics, axioms and examples 
presented in Section 3. In the cases of refl* for logic ICL$^{\Rightarrow}$ and untrust* for logic ICL$^{B}$ LEO-II 
shows that the axioms R and T are in fact not needed. 






Table 3: Performance of LEO-II when applied to problems in access control logic ICL$^{B}$ 

Name      TPTP Name   Problem   LEO (s) 
trust     SWV434^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ (\bot\ \mathit{says}\ s) \supset s\|$   0.049 
untrust   SWV435^1.p  $\{R, T, \|\mathrm{ICLval}\ A = \top\|\} \models^{STT} \|\mathrm{ICLval}\ A\ \mathit{says}\ \bot\|$   0.053 
cuc'      SWV436^1.p  $\{R, T\} \models^{STT} \|\mathrm{ICLval}\ ((A \supset B)\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)\|$   0.131 
Ex3       SWV437^1.p  $\{R, T, \|\mathrm{ICLval}\ (3.1)\|, \ldots, \|\mathrm{ICLval}\ (3.3)\|\} \models^{STT} \|\mathrm{ICLval}\ (3.4)\|$   0.076 
trust*    SWV434^2.p  $\models^{STT} \|\mathrm{ICLval}\ (\bot\ \mathit{says}\ s) \supset s\|$ 
untrust*  SWV435^2.p  $\{\|\mathrm{ICLval}\ A = \top\|\} \models^{STT} \|\mathrm{ICLval}\ A\ \mathit{says}\ \bot\|$   0.041 
cuc'*     SWV436^2.p  $\models^{STT} \|\mathrm{ICLval}\ ((A \supset B)\ \mathit{says}\ s) \supset (A\ \mathit{says}\ s) \supset (B\ \mathit{says}\ s)\|$ 
Ex3*      SWV437^2.p  $\{\|\mathrm{ICLval}\ (3.1)\|, \ldots, \|\mathrm{ICLval}\ (3.3)\|\} \models^{STT} \|\mathrm{ICLval}\ (3.4)\|$ 


In the Appendix we present the concrete encoding of our embedding together with the prob-
lems unit, cuc, idem, and Ex1 in the new TPTP THF syntax [8], which is also the input syntax of 
LEO-II. 

6 Conclusion and Future Work 

We have outlined a framework for the automation of reasoning in and about different access con-
trol logics in simple type theory. Using our framework, off-the-shelf higher-order theorem provers 
and proof assistants can be applied for the purpose. Our embedding of access control logics in 
simple type theory and a selection of example problems have been encoded in the new TPTP THF 
syntax and our higher-order theorem prover LEO-II has been applied to them, yielding promising 
initial results. Our problem encodings have been submitted to the higher-order TPTP library (see 
http://www.cs.miami.edu/~tptp/; problem domain thf) under development in the 
EU project THFTPTP and are thus available for comparison and competition with other TPTP 
compliant theorem provers. 

Future work includes the evaluation of the scalability of our approach for reasoning within 
prominent access control logics. Moreover, LEO-II could be applied to explore meta-properties 
of access control logics ICL, ICL$^{\Rightarrow}$, and ICL$^{B}$ analogous to Example 4.7. More generally, we 
would like to study whether our framework can fruitfully support the exploration of new access 
control logics. 

What has not been addressed in this paper due to space restrictions is our embedding of access 
control logic ICL$^{\forall}$ into simple type theory; ICL$^{\forall}$ is an access control logic with second-order 
quantification. 

Acknowledgements: Catalin Hritcu inspired the work presented in this paper and pointed me 
to the paper by Garg and Abadi. Chad Brown, Larry Paulson and Claus-Peter Wirth pointed me 
to some problems and typos in earlier versions of this paper. 
7 TPTP THF Problem files for Ex1 

The file ICL_k.ax presents the general definitions of our mapping from access control logics via 
modal logic K to STT. 

% File     : ICL_k.ax 
% Domain   : ICL Logic and its translation into Modal Logic (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : ICL logic based upon modal logic based upon simple type theory 
% Version  : 
% English  : 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

%% Multimodal-Logic %% 

% This formalization of multimodal logic follows the ideas presented in [2]. 
% The idea is that an atomic multimodal logic proposition P (of type 
% $i > $o) holds at a world W (of type $i) iff W is in P, i.e. (P @ W). 
% Now we define the multimodal logic connectives by reducing them to set 
% operations. 

% mfalse corresponds to the empty set (of type $i) 
thf(mfalse_decl, type, ( 
    mfalse : $i > $o )). 

thf(mfalse, definition, 
    ( mfalse 
   := ( ^ [X: $i] : $false ) )). 

% mtrue corresponds to the universal set (of type $i) 
thf(mtrue_decl, type, ( 
    mtrue : $i > $o )). 

thf(mtrue, definition, 
    ( mtrue 
   := ( ^ [X: $i] : $true ) )). 

% mnot corresponds to set complement 
thf(mnot_decl, type, ( 
    mnot : ( $i > $o ) > $i > $o )). 

thf(mnot, definition, 
    ( mnot 
   := ( ^ [X: $i > $o, U: $i] : 
          ~ ( X @ U ) ) )). 

% mor corresponds to set union 
thf(mor_decl, type, ( 
    mor : ( $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(mor, definition, 
    ( mor 
   := ( ^ [X: $i > $o, Y: $i > $o, U: $i] : 
          ( ( X @ U ) 
          | ( Y @ U ) ) ) )). 

% mand corresponds to set intersection 
thf(mand_decl, type, ( 
    mand : ( $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(mand, definition, 
    ( mand 
   := ( ^ [X: $i > $o, Y: $i > $o, U: $i] : 
          ( ( X @ U ) 
          & ( Y @ U ) ) ) )). 

% mimpl defined via mnot and mor 
thf(mimpl_decl, type, ( 
    mimpl : ( $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(mimpl, definition, 
    ( mimpl 
   := ( ^ [U: $i > $o, V: $i > $o] : 
          ( mor @ ( mnot @ U ) @ V ) ) )). 

% miff defined via mand and mimpl 
thf(miff_decl, type, ( 
    miff : ( $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(miff, definition, 
    ( miff 
   := ( ^ [U: $i > $o, V: $i > $o] : 
          ( mand @ ( mimpl @ U @ V ) @ ( mimpl @ V @ U ) ) ) )). 

% mbox 
thf(mbox_decl, type, ( 
    mbox : ( $i > $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(mbox, definition, 
    ( mbox 
   := ( ^ [R: $i > $i > $o, P: $i > $o, X: $i] : 
        ! [Y: $i] : 
          ( ( R @ X @ Y ) 
         => ( P @ Y ) ) ) )). 

% mdia 
thf(mdia_decl, type, ( 
    mdia : ( $i > $i > $o ) > ( $i > $o ) > $i > $o )). 

thf(mdia, definition, 
    ( mdia 
   := ( ^ [R: $i > $i > $o, P: $i > $o, X: $i] : 
        ? [Y: $i] : 
          ( ( R @ X @ Y ) 
          & ( P @ Y ) ) ) )). 

% Validity of a multimodal logic formula (in logic K) can now be encoded as 
thf(mvalid_decl, type, ( 
    mvalid : ( $i > $o ) > $o )). 

thf(mvalid, definition, 
    ( mvalid 
   := ( ^ [P: $i > $o] : 
        ! [W: $i] : 
          ( P @ W ) ) )). 

%%% ICL Logic %%% 
%%%%%%%%%%%%%%%%% 

% The encoding of ICL logic employs only one accessibility relation, which 
% we introduce here as a constant 'rel'; we don't need multimodal logic. 
thf(rel, type, ( 
    rel : $i > $i > $o )). 

% ICL logic distinguishes between atoms and principals; for this we introduce 
% a predicate 'icl_atom' ... 
thf(icl_atom, type, ( 
    icl_atom : ( $i > $o ) > ( $i > $o ) )). 

thf(icl_atom, definition, 
    ( icl_atom 
   := ( ^ [P: $i > $o] : ( mbox @ rel @ P ) ) )). 

% ... and also a predicate 'icl_princ' 
thf(icl_princ, type, ( 
    icl_princ : ( $i > $o ) > ( $i > $o ) )). 

thf(icl_princ, definition, 
    ( icl_princ 
   := ( ^ [P: $i > $o] : P ) )). 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
% We introduce the logical connectives of ICL and map % 
% them to modal logic expressions as suggested in [1] % 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

% ICL and connective 
thf(icl_and, type, ( 
    icl_and : ( $i > $o ) > ( $i > $o ) > ( $i > $o ) )). 

thf(icl_and, definition, 
    ( icl_and 
   := ( ^ [A: $i > $o, B: $i > $o] : ( mand @ A @ B ) ) )). 

% ICL or connective 
thf(icl_or, type, ( 
    icl_or : ( $i > $o ) > ( $i > $o ) > ( $i > $o ) )). 

thf(icl_or, definition, 
    ( icl_or 
   := ( ^ [A: $i > $o, B: $i > $o] : ( mor @ A @ B ) ) )). 

% ICL implication connective 
thf(icl_impl, type, ( 
    icl_impl : ( $i > $o ) > ( $i > $o ) > ( $i > $o ) )). 

thf(icl_impl, definition, 
    ( icl_impl 
   := ( ^ [A: $i > $o, B: $i > $o] : ( mbox @ rel @ ( mimpl @ A @ B ) ) ) )). 

% ICL true connective 
thf(icl_true, type, ( 
    icl_true : ( $i > $o ) )). 

thf(icl_true, definition, 
    ( icl_true 
   := mtrue )). 

% ICL false connective 
thf(icl_false, type, ( 
    icl_false : ( $i > $o ) )). 

thf(icl_false, definition, 
    ( icl_false 
   := mfalse )). 

% ICL says connective 
thf(icl_says, type, ( 
    icl_says : ( $i > $o ) > ( $i > $o ) > ( $i > $o ) )). 

thf(icl_says, definition, 
    ( icl_says 
   := ( ^ [A: $i > $o, S: $i > $o] : ( mbox @ rel @ ( mor @ A @ S ) ) ) )). 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
% ICL notions of validity wrt. K % 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

% An ICL formula is K-valid if its translation into modal logic is valid 
thf(iclval_decl, type, ( 
    iclval : ( $i > $o ) > $o )). 

thf(icl_s4_valid, definition, 
    ( iclval 
   := ( ^ [X: $i > $o] : ( mvalid @ X ) ) )). 



The file ICL_s4.ax provides the axioms R and T, which are added to obtain a mapping into modal 
logic S4. 

% File     : ICL_s4.ax 
% Domain   : ICL Logic and its translation into Modal Logic (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : ICL logic based upon modal logic based upon simple type theory 
% Version  : 
% English  : 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

% ICL notions of validity wrt S4 

% We add the reflexivity and the transitivity axiom to obtain S4. 
thf(refl_axiom, axiom, 
    ( ! [A: $i > $o] : ( mvalid @ ( mimpl @ ( mbox @ rel @ A ) @ A ) ) )). 

thf(trans_axiom, axiom, 
    ( ! [B: $i > $o] : ( mvalid @ ( mimpl @ ( mbox @ rel @ B ) 
                                          @ ( mbox @ rel @ ( mbox @ rel @ B ) ) ) ) )). 



File ICL_ex1_s4.thf contains the encoding of Example 1. 

% File     : ICL_ex1_s4.thf 
% Domain   : ICL Logic and its translation into Modal Logic (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : 
% Version  : 
% English  : ICL logic mapping to modal logic S4 implies 'Ex1'; see p. 4 of [1] 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : Theorem (Henkin semantics) 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

include('ICL_k.ax'). 
include('ICL_s4.ax'). 

% The principals 
thf(admin, type, ( 
    admin : $i > $o )). 

thf(bob, type, ( 
    bob : $i > $o )). 

% The atomic propositions 
thf(deletefile1, type, ( 
    deletefile1 : $i > $o )). 

% The axioms of the example problem 

% (admin says deletefile1) => deletefile1 
thf(ax1, axiom, 
    ( iclval @ 
      ( icl_impl @ ( icl_says @ ( icl_princ @ admin ) @ ( icl_atom @ deletefile1 ) ) 
                 @ ( icl_atom @ deletefile1 ) ) )). 

% (admin says ((bob says deletefile1) => deletefile1)) 
thf(ax2, axiom, 
    ( iclval @ 
      ( icl_says @ ( icl_princ @ admin ) 
                 @ ( icl_impl @ ( icl_says @ ( icl_princ @ bob ) 
                                           @ ( icl_atom @ deletefile1 ) ) 
                              @ ( icl_atom @ deletefile1 ) ) ) )). 

% (bob says deletefile1) 
thf(ax3, axiom, 
    ( iclval @ ( icl_says @ ( icl_princ @ bob ) @ ( icl_atom @ deletefile1 ) ) )). 

% We prove: deletefile1 holds 
thf(ex1, conjecture, 
    ( iclval @ ( icl_atom @ deletefile1 ) )). 



Files ICL_unit_s4.thf, ICL_cuc_s4.thf, and ICL_idem_s4.thf contain the encodings of the 
axioms unit, cuc and idem as proof problems. 

% File     : ICL_unit_s4.thf 
% Domain   : ICL Logic and its translation into Modal Logic S4 (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : 
% Version  : 
% English  : ICL logic mapping to modal logic implies 'unit'; see p. 3 of [1] 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : Theorem (Henkin semantics) 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

include('ICL_k.ax'). 
include('ICL_s4.ax'). 

% We introduce an arbitrary atom s 
thf(s, type, ( 
    s : $i > $o )). 

% We introduce an arbitrary principal a 
thf(a, type, ( 
    a : $i > $o )). 

% Can we prove 'unit'? 
thf(unit, conjecture, 
    ( iclval @ ( icl_impl @ ( icl_atom @ s ) 
                          @ ( icl_says @ ( icl_princ @ a ) @ ( icl_atom @ s ) ) ) )). 



% File     : ICL_cuc_s4.thf 
% Domain   : ICL Logic and its translation into Modal Logic S4 (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : 
% Version  : 
% English  : ICL logic mapping to modal logic implies 'cuc'; see p. 3 of [1] 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : Theorem (Henkin semantics) 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

include('ICL_k.ax'). 
include('ICL_s4.ax'). 

% We introduce arbitrary atoms s and t 
thf(s, type, ( 
    s : $i > $o )). 

thf(t, type, ( 
    t : $i > $o )). 

% We introduce an arbitrary principal a 
thf(a, type, ( 
    a : $i > $o )). 

% Can we prove 'cuc'? 
thf(cuc, conjecture, 
    ( iclval @ 
      ( icl_impl 
        @ ( icl_says @ ( icl_princ @ a ) 
                     @ ( icl_impl @ ( icl_atom @ s ) @ ( icl_atom @ t ) ) ) 
        @ ( icl_impl 
            @ ( icl_says @ ( icl_princ @ a ) @ ( icl_atom @ s ) ) 
            @ ( icl_says @ ( icl_princ @ a ) @ ( icl_atom @ t ) ) ) ) )). 



% File     : ICL_idem_s4.thf 
% Domain   : ICL Logic and its translation into Modal Logic S4 (which is 
%            itself modeled in simple type theory; see [2]) 
% Axioms   : 
% Version  : 
% English  : ICL logic mapping to modal logic implies 'idem'; see p. 3 of [1] 
% Refs     : [1] Deepak Garg, Martin Abadi: A Modal Deconstruction of Access 
%                Control Logics. FoSSaCS 2008: 216-230 
%            [2] C. Benzmueller and L. Paulson. Exploring Properties 
%                of Normal Multimodal Logics in Simple Type Theory with LEO-II. 
%                Festschrift in Honour of Peter B. Andrews. 
%                See: http://www.ags.uni-sb.de/~chris/papers/B9.pdf 
% Status   : Theorem (Henkin semantics) 
% Syntax   : 
% Comments : Formalization in THF by C. Benzmueller 

include('ICL_k.ax'). 
include('ICL_s4.ax'). 

% We introduce an arbitrary atom s 
thf(s, type, ( 
    s : $i > $o )). 

% We introduce an arbitrary principal a 
thf(a, type, ( 
    a : $i > $o )). 

% Can we prove 'idem'? 
thf(idem, conjecture, 
    ( iclval @ 
      ( icl_impl 
        @ ( icl_says @ ( icl_princ @ a ) @ ( icl_says @ ( icl_princ @ a ) 
                                                      @ ( icl_atom @ s ) ) ) 
        @ ( icl_says @ ( icl_princ @ a ) @ ( icl_atom @ s ) ) ) )). 
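The THF files above define the ICL connectives by reduction to modal operators, which in turn are set operations over worlds, and LEO-II then proves validity over all Henkin models. The following is an added example, not code from this paper, from LEO-II or from the TPTP files: it mirrors the definitions of ICL_k.ax (mbox, mimpl, icl_atom, icl_says, iclval) over a finite set of worlds and checks the translated axioms unit, cuc, idem and trust, as well as the Ex1 problem, on two constructed frames: a 4-world chain (a K frame) and its reflexive-transitive closure (an S4 frame satisfying refl_axiom and trans_axiom of ICL_s4.ax). The class and function names (Frame, icl_axioms, example1) and the frames are assumptions of the example. A finite-model check is evidence on one frame, not a proof; it is useful for seeing why R and T matter, since unit, idem and trust fail on the plain chain and hold once the frame is an S4 frame, while the Ex1 axioms entail deletefile1 on the S4 frame.

```python
"""Finite Kripke-model checker mirroring the THF definitions of ICL_k.ax.
Added example (not from the paper, LEO-II or the TPTP files): modal connectives
become set operations over a finite set of worlds, ICL connectives follow the
Garg/Abadi translation, and the translated axioms are checked on K and S4 frames."""
from itertools import combinations, product


class Frame:
    """A finite Kripke frame: worlds 0..n-1 plus the accessibility relation 'rel'."""

    def __init__(self, n, rel):
        self.worlds = frozenset(range(n))
        self.rel = frozenset(rel)
        # succ[x] = { y | rel @ x @ y }
        self.succ = {x: frozenset(y for (a, y) in self.rel if a == x) for x in self.worlds}

    # Modal connectives as defined in ICL_k.ax, on sets of worlds (type $i > $o).
    def mnot(self, p):
        return self.worlds - p

    def mor(self, p, q):
        return p | q

    def mimpl(self, p, q):
        return self.mor(self.mnot(p), q)

    def mbox(self, p):
        # (mbox @ rel @ p) holds at x iff every y with (rel @ x @ y) lies in p
        return frozenset(x for x in self.worlds if self.succ[x] <= p)

    def mvalid(self, p):
        return p == self.worlds

    # ICL connectives, following the translation used in ICL_k.ax.
    def icl_atom(self, p):
        return self.mbox(p)

    def icl_princ(self, p):
        return p

    def icl_impl(self, a, b):
        return self.mbox(self.mimpl(a, b))

    def icl_says(self, a, s):
        return self.mbox(self.mor(a, s))

    iclval = mvalid  # iclval := mvalid, as in ICL_k.ax

    # Frame conditions matching refl_axiom and trans_axiom of ICL_s4.ax.
    def is_reflexive(self):
        return all((x, x) in self.rel for x in self.worlds)

    def is_transitive(self):
        return all((x, z) in self.rel for (x, y) in self.rel for (w, z) in self.rel if y == w)

    def valuations(self, k):
        """Every assignment of k propositional letters to subsets of the worlds."""
        subsets = [frozenset(c) for r in range(len(self.worlds) + 1)
                   for c in combinations(sorted(self.worlds), r)]
        return product(subsets, repeat=k)


def icl_axioms(f):
    """Check unit, cuc, idem and trust under every valuation of s, t and a on frame f."""
    bot = frozenset()  # icl_false; also the principal 'bottom' used by trust
    result = {"unit": True, "cuc": True, "idem": True, "trust": True}
    for s, t, a in f.valuations(3):
        S, T, A = f.icl_atom(s), f.icl_atom(t), f.icl_princ(a)
        says, impl = f.icl_says, f.icl_impl
        checks = {
            "unit": impl(S, says(A, S)),
            "cuc": impl(says(A, impl(S, T)), impl(says(A, S), says(A, T))),
            "idem": impl(says(A, says(A, S)), says(A, S)),
            "trust": impl(says(f.icl_princ(bot), S), S),
        }
        for name, formula in checks.items():
            result[name] = result[name] and f.iclval(formula)
    return result


def example1(f):
    """Semantic reading of ICL_ex1_s4.thf on frame f: whenever ax1..ax3 are valid for a
    valuation of admin, bob and deletefile1, is deletefile1 valid as well?"""
    entailed, satisfying = True, 0
    for admin, bob, d in f.valuations(3):
        D, Admin, Bob = f.icl_atom(d), f.icl_princ(admin), f.icl_princ(bob)
        ax1 = f.iclval(f.icl_impl(f.icl_says(Admin, D), D))
        ax2 = f.iclval(f.icl_says(Admin, f.icl_impl(f.icl_says(Bob, D), D)))
        ax3 = f.iclval(f.icl_says(Bob, D))
        if ax1 and ax2 and ax3:
            satisfying += 1
            entailed = entailed and f.iclval(D)
    return entailed, satisfying  # (entailed?, number of valuations satisfying ax1..ax3)


# Constructed frames (not from the paper): a 4-world chain (K) and its S4 closure.
CHAIN = Frame(4, {(0, 1), (1, 2), (2, 3)})
S4 = Frame(4, {(x, y) for x in range(4) for y in range(4) if x <= y})
```

Calling icl_axioms(CHAIN) reports unit, idem and trust as not valid, because the chain is neither reflexive nor transitive; icl_axioms(S4) reports all four as valid, and example1(S4) reports that deletefile1 is entailed, with at least the 256 valuations in which deletefile1 holds at every world satisfying the three axioms. The check enumerates every valuation of the letters on the frame, so it is exhaustive for that frame only; LEO-II's proof with R and T covers all S4 models at once.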



